Yosemite’s FileVault 2 pre-boot recovery options

One of the changes that Apple has introduced with Yosemite is a more straightforward way to recover from login problems at the FileVault 2 pre-boot login screen.

When a FileVault 2-encrypted Mac sits for more than a minute with an account selected at the FileVault 2 pre-boot login screen, a message like the one below should appear:

If you’re having a problem entering your password, press and hold the power button on your Mac to shut it down. Then press it again to start it up in the Recovery OS.

If the instructions are followed, the Mac will boot from the Mac’s recovery partition on the next startup and go into a Reset Password wizard.

In the Reset Password wizard, there are currently three options available.

  1. I forgot my password
  2. My password doesn’t work when logging in
  3. My keyboard isn’t working when typing my password to login

Each option does something different, so let’s take a look at each.

I forgot my password

The “I forgot my password” option is most useful to folks who, when enabling FileVault 2, had chosen the option to use their Apple ID to unlock the disk and reset their password.

If the user in question had set up their Apple ID to unlock the disk and reset their password, the following options are available:

A. Log in with your Apple ID

B. The Reset Password wizard will check the locked disk.

C. The Mac will communicate back with Apple to match the Apple ID against the FileVault 2 recovery key that was stored with Apple.

D. You’ll be prompted to reset your account’s password to a new one.

Note: This password reset process is designed to reset the password of a local account. If the password reset process is run against a network account which has been enabled for FileVault 2, the password sync may be broken between the network account and the directory service that manages the account.

E. You’ll be notified that your password has been reset and that you can now reboot and log in at the FileVault 2 pre-boot login screen.

If the option of using an Apple ID to unlock the disk and reset passwords had not been chosen, the Reset Password wizard notifies the user that their FileVault recovery key had not been stored with Apple and that iCloud FileVault recovery is not available. Instead, the user will need to provide their recovery key at the pre-boot login screen.

My password doesn’t work when logging in

The “My password doesn’t work when logging in” option will provide another option for resetting your password, but it relies on the user actually knowing the correct password or having the password to another FileVault 2-enabled account on the Mac.

If the user has the correct password or the password to another account on the Mac which has been enabled for FileVault 2, selecting the “My password doesn’t work when logging in” option will go through the following process:

A. Asking for a password to unlock the boot volume.

Note: This can be the user’s account password (if known and correct) or the password to another FileVault 2-enabled account on the Mac.

B. Select the relevant account.

Note: This password reset process is designed to reset the password of a local account. If the password reset process is run against a network account which has been enabled for FileVault 2, the password sync may be broken between the network account and the directory service that manages the account.

C. Enter and verify a new password.

D. You’ll be notified that your password has been reset and that you can now reboot and log in at the FileVault 2 pre-boot login screen.

My keyboard isn’t working when typing my password to login

The “My keyboard isn’t working when typing my password to login” option will provide the option of decrypting your FileVault 2 encrypted Mac. If the user has their account password or the password to another FileVault 2-enabled account on the Mac, selecting the “My keyboard isn’t working when typing my password to login” option will go through the following process:

A. Asking for a password to disable the FileVault 2 encryption on the boot volume.

Note: This can be the user’s account password (if known and correct) or the password to another FileVault 2-enabled account on the Mac.

B. You’ll be notified that the boot volume has been decrypted and that you can now reboot and log in without being stopped at the FileVault 2 pre-boot login screen.

One thing to be aware of is that the decryption process has only been initiated. Decryption will proceed once the Mac has been booted from a drive that is running a regular installation of Yosemite.
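
Because the keyboard option only initiates decryption, a management check needs to catch a Mac that starts decrypting after its next normal boot. The script below is an added example, not part of the original post: it classifies the text of `fdesetup status`. The function names and sample strings are constructed, and the exact output wording is an assumption about the tool's format.

```shell
#!/bin/sh
# Added example. Sample strings are constructed; the wording of
# `fdesetup status` output is an assumption about the tool's format.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_DECRYPTING='FileVault is Off.
Decryption in progress: Percent completed = 13'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42.5'

# Print one of: encrypted, encrypting, decrypting, off, unknown.
# Progress lines are tested first because the On/Off headline alone
# does not say whether a conversion is still running.
classify_fv_status() {
    case "$1" in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Print the "Percent completed" figure, or nothing when absent.
fv_percent() {
    printf '%s\n' "$1" |
        sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p'
}

# Print a one-line verdict; return 0 only when the volume is
# encrypted or on its way there, 1 for decrypting/off/unknown.
fv_report() {
    state=$(classify_fv_status "$1")
    pct=$(fv_percent "$1")
    case "$state" in
        encrypted|encrypting) verdict=ok;    rc=0 ;;
        *)                    verdict=ALERT; rc=1 ;;
    esac
    echo "${state}${pct:+ (${pct}%)}: ${verdict}"
    return "$rc"
}

# On a Mac, check the live state; elsewhere this block is skipped.
if command -v fdesetup >/dev/null 2>&1; then
    fv_report "$(fdesetup status 2>&1)" ||
        echo "boot volume is not fully protected" >&2
fi
```

The non-zero return from `fv_report` lets a management agent or login hook flag the machine before decryption finishes.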

  1. Peter Trondsen
    January 21, 2015 at 5:03 pm

    I got the “Forget Password” screen after a crash, and I couldn’t get out of it.
    I put in my Key and it started to Decrypt the hard drive, which was going to take 2 hours, I tried to cancel it, but couldn’t. I then rebooted, and the Mac got stuck halfway starting up. That was it, I was hosed. Luckily I had backed up fairly recently. I just don’t know why it forced me to put in the password.

    • Justin
      December 15, 2015 at 4:22 pm

      I find that just restarting the machine and resetting PRAM brings you back to the normal boot screen.

  2. Taylor Armstrong
    January 21, 2015 at 5:56 pm

    This gives me heartburn from an Enterprise/Security standpoint. Not that it couldn’t be done without Apple providing the instructions, but still… essentially defeats the purpose of encryption for us.

    • Maurits Sanders
      May 26, 2015 at 7:21 pm

      @Taylor Armstrong: I don’t understand why this gives you heartburn.
      Before Yosemite one could store the recovery key at Apple (needed 3 security questions). All that changed is that the recovery key is now stored at iCloud, and Apple added a tool to grab the recovery key from iCloud for you (instead of calling Apple, answering the 3 security questions, typing in the recovery key).

      Apple is smart enough to design FileVault2 as really safe as on previous versions of OS X.

      I am not sure what the Institutional FileVault keys do at Yosemite. I hope they will work similarly as in Mavericks, so NOWHERE storing user’s recovery keys, JUST the institutional keys to recover data in case a user is stupid enough to forget his password.
      (how can you, when you have to type it every time you boot or wake the computer?)
      See https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/ with lots of details.

  3. Clairemd
    May 25, 2015 at 4:35 pm

    Hi! I’m locked out of my Mac for three days since I forgot my password. Been doing the Recovery OS and reset password but not successful. When I reset it using my Apple ID it says I am unable to connect to iCloud and need to verify my internet connection (it is connected — have an iPhone that is connected to the same network). In the recovery part I don’t see my Mac HD to choose from after typing ‘reset password’ on the terminal disk utility screen. I need help. Thanks.

  4. Maurits Sanders
    May 26, 2015 at 7:10 pm

    @Clairemd: In one test with the FileVault recovery keys stored at iCloud, I found that you had to do the two steps after each other:

    1-first procedure “I Forgot My Password”
    (note that at the end the wizard notes: ‘You can now unlock the disk with your new password’, not ‘you can log in with your new password’)

    2-Then you have to reset the user’s login password, using the procedure “My password doesn’t work when logging in”. In this procedure you type the (just reset at step 1, new) password to unlock the disk. Then reset the user’s password to the new password.

    I found this confusing that procedure 1 does not do the second step, but it seemed to be the only way. Maybe my test had some bugs, or I entered a wrong password, but maybe my tips will help you to unlock your disk AND user login.

    Tip : it is smart to use the same new password in step 2, to make sure they are in sync, otherwise you always have to type two passwords, one at boot time to unlock the disk, and one at login time to log in as the user

  5. will
    June 16, 2015 at 6:08 am

    Thanks for the info, I forget my FileVault password, and I enter my iCloud account and enter to my Mac easy

  6. Bill
    July 9, 2015 at 6:25 pm

    Thanks for the tips! I have a strange problem with my wife’s File Vault 2-enabled Mac mini. I have to take it to work to download updates as we have limited internet bandwidth at home. Every time I take it to work and download updates, when I get back home I have to go through a password reset. It never gives me an account to log into–it shows a progress bar for a few minutes, then goes straight to password reset (it gives three options: your password doesn’t work; you forgot your password; your keyboard doesn’t enter your password). Once I reset the password, the mini starts up normally and goes through an endless loop of requesting the iCloud password until I press cancel. Then everything works okay until once again I have to unplug and take the mini in to work. Any ideas?

  7. Jesus Davalos
    September 11, 2015 at 7:42 am

    I try to do this with my iCloud password but always told me that there is an error communicating with iCloud

  8. Jesus Davalos
    September 11, 2015 at 7:55 am

    Unable to connect to iCloud. Please verify your internet connection. It says that, but I do have a very good internet connection!!!

  9. Jody
    December 11, 2015 at 3:32 am

    since my problem is
    “my keyboard isn’t working when typing my password to log in”
    how am I able to input my password, on my keyboard, to disable FileVault!

  10. January 14, 2016 at 5:07 pm

    This is a mess, I was out of the office and came back to a now encrypted Mac where I’ve never set this FileVault BS up. Never associated my iCloud because this is my work laptop and the local admin password is not working. Just a mess like when someone enters their iCloud ID into an iPhone and then gets fired, the phone is then worthless. Apple will always be a single user / home user device with the trend of personal emails and iCloud leading their configuration requirements.
